Credit card hackers and hotels

Last week, the New York Times reported an interesting story: the hotel industry is a favorite target of hackers.

A study released this year by SpiderLabs, a part of the data-security consulting company Trustwave, found that 38 percent of the credit card hacking cases last year involved the hotel industry. The sector was well ahead of the financial services industry (19 percent), retailing (14.2 percent), and restaurants and bars (13 percent).

Why hotels? Well, to paraphrase the bank robber Willie Sutton, hackers hit hotels because that is where the richest vein of personal credit card data is. At hotels with inadequate data security, “the greatest amount of credit card information can be obtained using the most simplified methods,” said Anthony C. Roman, a private security investigator with extensive experience in the hotel industry.

“It doesn’t require brilliance on the part of the hacker,” Mr. Roman said. “Most of the chronic security breaches in the hotel industry are the result of a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems.”

The sophistication of such systems can vary widely from one hotel to the next, even within the same corporate chain, making it an easy route for hackers.

The Trustwave report said that “organizations large and small were found to be moving forward with plans to implement new technology, while leaving basic security threats overlooked.”

There are high tech ways to target hotels and low tech ways to do it. Some companies are used to handling data and have policies surrounding it. Microsoft, for example, classifies data into low business intelligence (LBI), medium business intelligence (MBI) and high business intelligence (HBI). Information that is HBI must be encrypted and there are strict guidelines over who has access and how the data must be stored. HBI would be customer’s financial information.

Hotels, on the other hand, are not technology companies. It is not in their core business to think about information security, they are busy getting people to stay in their hotels, book conferences, provide comfortable beds, keep the rooms clean and replace the “free” towels that people take home with them. Thus, they might be a little sloppy when storing their records, such as saving data in clear text. When data is stored in clear text, anyone can take a look at it. Similarly, many places lock a user out if a password is guessed wrong three times. Places like hotels (like any place) might not have such security policies in place. When talking to the credit card company from a point-of-sale terminal, they might transmit the credit card information in clear text and a man-in-the-middle can pick it up and steal it. They also may not restrict data access to certain high levels of employees, they might print receipts with the entire number printed out instead of putting XXXX in the middle 8 digits and so forth.

The point is that any industry could be prone to something like this, but hotels are where the money is (a lot like why phishers target banks). Banks are used to dealing with security, hotels are not. And hotels often have a lot of people with money passing through them (which explains why they can afford $250 per night). While some industries could be targeted just as much, if not more, the ones with the most money (ie, high spending limits on corporate cards) can be a haven for thieves.